Jeremiah Grossman's tweet drew my attention to Gary McGraw's article on web apps and software security. Mr. McGraw assumes that web apps and software security are different things. At one point he states:

...by understanding how particular Web attacks work, we can both uncover particular versions of such problems in real software, and we can also learn to avoid certain particular problems. [italics added]

The distinction about "real software" is a strange bias, and just because a piece of software can be attacked over HTTP does not make it less "real." It's all software. Advances in securing web software are advances in the overall field of software security.

Other than revealing a strange bias against web applications, the article makes the point that techniques effective in one software security domain may or may not be effective in another. There is no one true way to do software security.

This point was also made recently by Microsoft's Bryan Sullivan in discussing how they've streamlined their security development lifecycle for agile development, particularly for web apps. Microsoft found that the techniques used for securing desktop applications with longish development efforts were not suitable for the rapid turnaround environment of web software. So they made adjustments to their security process.

I'm reminded of a saying (I'm not sure where I picked it up) that best practices are what you do when you don't have the time or flexibility to do what's right. Blind adherence is never good. Stay flexible and adapt.

Dedication

My grandfather had a wonderful shop in his basement. To me, it was a place of mystery and fascination, and I would spend hours wandering through it, looking at all the tools and projects in various states of completion. Not being much of a woodworker, I've never had the need for such a shop (not to mention that I lack a basement), but recently it has occurred to me that my gear, computers, and software are my shop. This site is for my late grandfather and everyone else who takes personal pride in carefully executed work.